On 07/06/2021 11:44, xcorpius wrote:
Just one more thing.

I understand my mistake with the difference between encryption and digest.


Fortunately, the Tomcat committers have a sufficiently sound
understanding of both basic logic and basic cryptography not to waste
their time on such an exercise.

Ok, but the question is: Why can WebLogic encrypt the password and Tomcat can't?

It can't.

All WebLogic is doing is moving the goalposts. The database password may be encrypted, but that just means the decryption key needs to be provided in plain text instead. No matter how many levels of indirection (or perhaps that should be misdirection) are applied, ultimately the application server process needs access to a secret in plain text.

However complex the window dressing, it will come down to the operating system limiting access to the plain text secret to one or more users. This is fundamentally no different to the Tomcat recommendation to use OS file permissions to limit access to the configuration file where the secret is stored to the user used by Tomcat and root (or equivalent).

If you want to allow more general read access to configuration files then there are simple ways to move the secrets to a separate, more tightly controlled file.

Mark



https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477

Thanks,



Sent with ProtonMail Secure Email.

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 June 2021 11:42, Mark Thomas <ma...@apache.org> wrote:

On 07/06/2021 09:56, xcorpius wrote:

Hello again!
Checking the documentation ... Tomcat can create an encrypted password with the 
"digest.sh" tool for application passwords.
But you cannot create an encrypted password for the DB in the context.xml file. 
The only solution without adding anything is to give restrictive permissions to 
the context.xml file.
Wouldn't it be the same problem?

No.

Why can't I generate an encrypted password for the database with the "digest.sh" tool 
instead of having to use a customized "factory"?

Digesting != encrypting.

Digests are one-way functions. A digested password is no use to a client
that needs to authenticate itself to a server.

I think people who develop Tomcat should consider this option.

Fortunately, the Tomcat committers have a sufficiently sound
understanding of both basic logic and basic cryptography not to waste
their time on such an exercise.

Mark

Thank you very much to all.
Xcorpius
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 30 April 2021 11:21, xcorpius xcorp...@protonmail.com wrote:

:-)
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 26 April 2021 19:03, jonmcalexan...@wellsfargo.com wrote:

And when that isn't good enough for your senior management, take a look at the 
Tomcat Vault in GITHUB. :-)
Jon McAlexander

-----Original Message-----
From: xcorpius xcorp...@protonmail.com.INVALID
Sent: Monday, April 26, 2021 8:36 AM
To: users@tomcat.apache.org
Subject: Re: Question about encrypting database passwords in the
context.xml file - Tomcat 9
Thanks Olaf!!!!
-------- Original message --------
On 26 Apr 2021 14:02, Olaf Kock wrote:

On 26.04.21 13:10, xcorpius wrote:

Hi,
I wanted to ask about how to encrypt database passwords in the
context.xml file in Tomcat 9.



Hi,
please check this article:

https://cwiki.apache.org/confluence/display/TOMCAT/Password

It covers the topic once and for all...
Olaf
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
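
The control the thread's top reply arrives at, OS file permissions on the file that holds the plain-text secret, can be checked mechanically. The script below is an added example, not part of the original thread or of Tomcat; it assumes a `stat` that supports `-c`, and the account name and path in its usage comment are placeholders.

```shell
#!/bin/sh
# Added example: check that only one account (plus root) can read the file
# holding a plain-text secret. Assumes a stat that supports -c (GNU/busybox).

# audit_secret_file FILE ACCOUNT
# Prints one finding per line; returns 0 when FILE is owned by ACCOUNT and
# grants nothing to group or other, 1 otherwise.
audit_secret_file() {
    file=$1
    want=$2
    rc=0
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "NOTFILE $file is missing or not a regular file"
        return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1
    actual=$(stat -c '%U' "$file") || return 1
    if [ "$actual" != "$want" ]; then
        echo "OWNER $file is owned by $actual, expected $want"
        rc=1
    fi
    # %a prints octal digits; a leading 0 makes the shell read them as octal.
    if [ $(( 0$mode & 070 )) -ne 0 ]; then
        echo "GROUP $file (mode $mode) grants access to its group"
        rc=1
    fi
    if [ $(( 0$mode & 007 )) -ne 0 ]; then
        echo "OTHER $file (mode $mode) grants access to all local users"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use (account and path are placeholders):
#   sh audit.sh tomcat /opt/tomcat/conf/context.xml
if [ "$#" -ge 2 ]; then
    acct=$1
    shift
    status=0
    for f in "$@"; do
        audit_secret_file "$f" "$acct" || status=1
    done
    exit "$status"
fi
```

A non-zero exit means at least one file can be read or changed by someone other than the named account and root.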
